[161955] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Ben Aitchison)
Thu Mar 28 23:44:42 2013
Date: Fri, 29 Mar 2013 16:44:19 +1300
From: Ben Aitchison <ben@meh.net.nz>
To: Tom Paseka <tom@cloudflare.com>
In-Reply-To: <CAL89Sg+XDKc=_6UWosAZ=wyPJb9tm2GaN0-vDk8Kyiji+vEUUQ@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Mar 26, 2013 at 07:07:16PM -0700, Tom Paseka wrote:
> On Tue, Mar 26, 2013 at 7:04 PM, Matthew Petach <mpetach@netflight.com> wrote:
>
> > On Tue, Mar 26, 2013 at 6:06 PM, John Levine <johnl@iecc.com> wrote:
> > >>As a white-hat attempting to find problems to address through legitimate means, how
> > >>do you …
> > >
> > > You make friends with people with busy authoritative servers and see
> > > who's querying them.
> >
> > I'm confused. Don't most authoritative servers have to
> > answer to just about anyone in order to be useful?
> >
> > Matt
> >
>
> Authoritative DNS servers need to implement rate limiting. (a client
> shouldn't query you twice for the same thing within its TTL).
unbound with its dns-prefetching queries a dns server again in I think the last 10% of ttl when
returning a hit to the client to refresh ttl and keep it current.

To me this doesn't seem excessive, and will improve performance for regularly accessed sites with
short ttls, which are quite common now (google, facebook, etc).

It'd break if doing that extreme rate limiting. But so would things like rebooting a dns server.
I think if rate limiting is done it has to be on the lenient side.

Also how do you know that the dns resolver got a successful reply? Just because you've received
a packet from a client doesn't mean that you can reach the client. So if there's one-way traffic
or excessive dual-way packet loss the chances of prematurely blocking clients and creating longer
outages are too great.

That said, a lot of these amplification attacks use ANY requests, which normal clients don't. And
those could be rate limited down without affecting normal traffic I'm sure.
Ben.
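Added example, not from this thread nor from unbound or any vendor: a small Python simulation of the trade-off Ben describes, contrasting a strict "once per TTL per client" rule (which refuses a prefetching resolver's refresh queries) with a lenient per-client token bucket that budgets ANY queries separately. The TTL, rates, burst sizes and the client address 10.0.0.1 are constructed values.

```python
class ResponseRateLimiter:
    """Per-(client, kind) token bucket. ANY queries get a separate, much
    tighter budget: normal resolvers seldom send ANY while amplification
    floods rely on it, so throttling ANY barely touches real traffic."""
    def __init__(self, rate=20.0, burst=50, any_rate=1.0, any_burst=2):
        self.cfg = {"normal": (rate, burst), "ANY": (any_rate, any_burst)}
        self.buckets = {}  # (client, kind) -> [tokens, last_seen]

    def allow(self, client, qtype, now):
        kind = "ANY" if qtype == "ANY" else "normal"
        rate, burst = self.cfg[kind]
        b = self.buckets.setdefault((client, kind), [burst, now])
        b[0] = min(burst, b[0] + (now - b[1]) * rate)  # refill since last seen
        b[1] = now
        if b[0] >= 1:
            b[0] -= 1
            return True
        return False

def prefetch_times(ttl, seconds):
    """Query times of a resolver that refreshes a hot name once the cached
    answer enters the last 10% of its TTL (the unbound prefetch behaviour
    described above): one query roughly every 0.9 * TTL."""
    return [i * 0.9 * ttl for i in range(int(seconds // (0.9 * ttl)) + 1)]

def strict_once_per_ttl(times, ttl):
    """Refusals under 'a client may not ask the same thing twice per TTL'."""
    refused, last = 0, None
    for t in times:
        if last is not None and t - last < ttl:
            refused += 1
        else:
            last = t
    return refused

def count_allowed(limiter, client, qtype, times):
    return sum(limiter.allow(client, qtype, t) for t in times)

def demo(ttl=300, window=3600):
    """Constructed scenario: one resolver prefetching a 300 s record for an
    hour, and the same address later sending 50 ANY queries in one second."""
    rl = ResponseRateLimiter()
    resolver = prefetch_times(ttl, window)
    any_flood = [i / 50 for i in range(50)]
    return {
        "prefetch_queries": len(resolver),
        "strict_refused": strict_once_per_ttl(resolver, ttl),
        "lenient_refused": len(resolver) - count_allowed(rl, "10.0.0.1", "A", resolver),
        "any_allowed": count_allowed(rl, "10.0.0.1", "ANY", any_flood),
    }
```

Running `demo()` shows the strict rule refusing half of the honest resolver's refreshes while the lenient bucket refuses none of them and still lets only two of the fifty ANY queries through.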